DE102014112478A1 - Method for distributing tasks between computer systems, computer network infrastructure and computer program product - Google Patents

Abstract

The invention relates to a method for distributing tasks between secure computer systems in a computer network infrastructure. The method comprises the following steps: parallel reception of a task file by a plurality of switching computer systems, negotiation of a primary switching computer system from the group of switching computer systems for further processing of the task file, transmission of task information from the task file from the primary mediation computer system to a primary processing computer system of a plurality of processing computer systems, and performing at least one action on the primary processing computer system based on the transmitted task information. In addition, all of the group of the processing computer systems keep predetermined network ports closed, so that access via a network by means of these network ports is prevented. Furthermore, a corresponding computer network infrastructure and a computer program product for carrying out a corresponding method are described.

Description

The invention relates to a method for distributing tasks between secure computer systems in a computer network infrastructure, a corresponding computer network infrastructure and a computer program product for carrying out a corresponding method.

Distributed computer networks or so-called computer network infrastructures describe a plurality of computer systems that can communicate with one another via data connections. In some cases, confidential content is exchanged, which should not be accessible to unauthorized persons. In particular, in computer network infrastructures comprising server-client topologies, sensitive data, e.g. As customer data or user data, exchanged between the client and the server, whereby access of third parties to this data must be prevented.

Traditional security policies to increase privacy include regulations (processes that should be adhered to) or rules (bids or prohibitions) for third parties, such as administrators, that should allow only limited or controlled access to sensitive data.

On the other hand, technical measures are provided on or in the computer systems which are intended to prevent physical or logical access to computer systems or to restrict them to authorized persons.

Although such approaches to data protection are conducive to data security, they have the disadvantage that they are generally not compulsory measures to prevent access to confidential data.

Furthermore, common computer network infrastructures for the exchange of data or for communication with each other with access options, for example via network, or possibilities of responsiveness of services in the computer systems, which make the computer systems sensitive to attacks from outside. Because service responsiveness requires a running program on one or more network ports of a computer system. This ongoing program poses a potential security vulnerability to remote attacks over the network.

There is a danger that an attacker (cracker) gaining access to a computer system may be able to access sensitive data on this computer system and / or gain access to other computer systems in the computer network infrastructure, e.g. because he camouflages himself as trustworthy via a manipulated signature.

On the other hand, in a computer network infrastructure, the communication and processing of information between individual computer systems requires necessary communication structures. Such communication structures include load distribution, i. E. H. a distribution of certain actions or processes (tasks) between a plurality of participating computer systems or the determination of a computer system from a group of computer systems for taking over a task.

The object of the present invention is to improve the protection against attacks on computer systems within a computer network infrastructure, in particular the unauthorized access to confidential data, by technical measures and yet to propose a distribution of tasks within the computer network infrastructure, which provides a satisfactory forwarding of data within the computer network infrastructure.

In a first aspect, this object is achieved by a method for distributing tasks between secure computer systems in a computer network infrastructure according to claim 1.

• – paralleles Empfangen einer Task-Datei durch eine Mehrzahl von Vermittlungs-Computersystemen,
• – Aushandeln eines primären Vermittlungs-Computersystems aus der Gruppe der Vermittlungs-Computersysteme zur weiteren Verarbeitung der Task-Datei,
• – Übertragen von Task-Informationen aus der Task-Datei vom primären Vermittlungs-Computersystem an ein primäres Bearbeitungs-Computersystem aus einer Mehrzahl von Bearbeitungs-Computersystemen, sowie
• – Durchführen wenigstens einer Aktion im primären Bearbeitungs-Computersystem anhand der übertragenen Task-Informationen,

wobei alle aus der Gruppe der Bearbeitungs-Computersysteme vorbestimmte Netzwerk-Ports geschlossen halten, sodass ein Zugriff über ein Netzwerk vermittels dieser Netzwerk-Ports verhindert wird.The method comprises the following steps:

• Parallel receiving of a task file by a plurality of relay computer systems,
• Negotiating a primary switching computer system from the group of switching computer systems for further processing of the task file,
• Transferring task information from the task file from the primary relay computer system to a primary processing computer system from a plurality of processing computer systems, as well as
• Performing at least one action in the primary editing computer system based on the transmitted task information,

wherein all of the group of the processing computer systems keep predetermined network ports closed so that access via a network is prevented by means of these network ports.

Such a method allows a load distribution such that from a group of Switching computer systems, a primary computer system for further processing an incoming task file is selected. Thus, multiple individual tasks may be shared between multiple switch computer systems so that the total load of the switch computer system group may not be concentrated on a single computer system, but may be shared within the group of switch computer systems.

Furthermore, the method has the advantage that a dedicated switching computer system is determined as the primary computer system, which can automatically control the further course of the procedure. In particular, this includes communication with a plurality of processing computer systems within the computer network infrastructure.

In the method described here, all of the group of processing computer systems also behave as encapsulated systems. An access via a network to these computer systems is at least under certain operating conditions (advantageously permanently during the implementation of the method described here or the above method steps) not or only significantly more difficult possible.

The term "predetermined network ports" means that all or only selected security-critical network ports, e.g. the network ports used for this procedure are permanently or temporarily closed.

This has the advantage that no programs are set up or necessary on the processing computer systems which listen to the corresponding network ports for the purpose of addressability or connection setup from the outside (so-called "listening") and a potential security gap (e.g. through buffer overflow). Thus, the term "closed network ports" in this context means that they are not listening ports, i. no connection from the outside is allowed. A third party in this case will not be able to authenticate or log in externally over the network to a corresponding processing computer system, e.g. on Unix-based systems through a secure shell (SSH) daemon, or perform special actions on the editing computer system.

However, for a first user group, local access to a respective processing computer system may be established (e.g., for processors of the particular processing computer system). For other third parties, however, local access to a corresponding editing computer system is prevented.

Unlike the processing computer systems, however, the method allows access to a switching computer system from the group of switching computer systems from the outside. Each of the switching computer systems group is thereby accessible as an "open" system with at least one addressable network ("listening") network port. This means that, for example, programs and / or applications are prepared on a switching computer system so that a processing computer system can access a switching computer system and establish a connection to the switching computer system in order to obtain corresponding task information from the task list. To retrieve a file according to the presented method (via a "established" connection) from a switch computer system to perform at least one action based on the task information, or to return responses and / or results of the locally performed action in the switch computer system. From a security point of view, such an "open" brokerage computer system is similar to a traditional, specially secured computer system.

Thus, each switch computer system, in this case the primary switch computer system, serves as a (secure but addressable) switch for communication with the group of processing computer systems, which, however, are themselves encapsulated. In this way, a predefined method for distributing the load between switching computer systems for targeted information transfer by means of the group of switching computer systems is possible despite encapsulated processing computer systems.

• – das Speichern und/oder Verarbeiten (z.B. Ergänzen) von übertragenen Daten,
• – der Neustart eines Programms,
• – die Anweisung zu einem physischen Zugang zum jeweiligen Computersystem,
• – das Wiederherstellen von Backup-Daten oder
• – ein SSH-Zugriff auf das entsprechende Computersystem.

In this context, task files are prepared to execute predetermined processes (tasks) in a processing computer system and / or in a (unspecified) target computer system which is to perform a predetermined task from the task file. Such processes can, for. For example:

• The storage and / or processing (eg supplementing) of transmitted data,
• - the restart of a program,
• The instruction for a physical access to the respective computer system,
• - restoring backup data or
• - SSH access to the appropriate computer system.

Appropriate combinations of such actions and instructions are of course conceivable. The peculiarity of the present process consists in that by means of the task files, an event control of a processing computer system or a non-specified target computer system with appropriate information sharing is possible.

A task file differs fundamentally from a pure command command to a respective processing computer system, because a command command to its evaluation on the part of the editing computer system makes a continuously running, open to the outside and therefore vulnerable program necessary. However, as already explained, such a program is omitted in the present method in the absence of access via network to a respective processing computer system.

However, instructions to a processing computer system on a relay computer system may be prepared and fetched by the processing computer system, which on its own establishes a connection to the relay computer system. The instructions may then be e.g. processed locally on the editing computer system.

The term "task information from the task file" is to be understood as information that is present (e.g., embedded) in the task file. This may be information about instructions, descriptions, process data, signatures, passwords, etc. regarding actions to be performed. The task information may include parts from the task file or the entire task file as such. This means that as task information, parts of the task file or even the entire task file can be transferred to a processing computer system.

To transfer task information from the primary switch computer system to the primary edit computer system, a process may be initiated that calls the selected task information in the primary switch computer system and automatically transmits it from the primary switch computer system to the primary edit computer system. Advantageously, the automated transmission of the task information from the primary switching computer system to the primary processing computer system is configured such that a third party has no influence on it from the outside and thus a risk of manipulation of the primary processing computer system via the task information is excluded , For example, the task information may be encrypted. A (different) encryption can also be applied multiple times to parts of the task information or to entire data packets (which contain task information). The validity of the task information can then be checked in the primary processing computer system and a corresponding action taken. The validity of the task information can be checked using signatures that have been used to sign data packets.

Upon successful processing of the task information in the primary editing computer system, the task information may be transmitted back to the primary relay computer system. Thereafter, the task information can be transported further in the process, for. To a target computer system for performing a task on the target computer system based on the processed task information.

• – Erstellen eines ersten Interaktions-Paketes, in welchem die Task-Informationen enthalten sind, durch das primäre Vermittlungs-Computersystem,
• – Übertragen des ersten Interaktions-Paketes vom primären Vermittlungs-Computersystem an das primäre Bearbeitungs-Computersystem,
• – Extrahieren der Task-Informationen aus dem ersten Interaktions-Paket zum Durchführen der wenigstens einen Aktion im primären Bearbeitungs-Computersystem,
• – Erstellen eines zweiten Interaktions-Paketes, in welchem eine Rückantwort auf das erste Interaktions-Paket enthalten ist, durch das primäre Bearbeitungs-Computersystem,
• – Übertragen des zweiten Interaktions-Paketes vom primären Bearbeitungs-Computersystem zurück auf das primäre Vermittlungs-Computersystem nach Durchführen der wenigstens einen Aktion.

Advantageously, the method of the type described additionally comprises the following steps:

• By the primary switching computer system, creating a first interaction packet in which the task information is contained;
• Transferring the first interaction packet from the primary mediation computer system to the primary processing computer system,
• Extracting the task information from the first interaction packet to perform the at least one action in the primary processing computer system,
• Creating a second interaction packet, in which a response to the first interaction packet is included, by the primary processing computer system,
• Transmitting the second interaction packet from the primary processing computer system back to the primary mediation computer system after performing the at least one action.

Packing the task information into an interaction packet allows further information to be sent, e.g. Signatures of the primary mediation computer system, permissions, instructions, and so on. The task information of the original task file or the task information after performing the action in the primary processing computer system remain advantageous. Thus, e.g. Information about the communication between the primary relay computer system and the primary processing computer system of task information from the task file to perform a task, e.g. on another target computer system, to be differentiated.

It is also conceivable, the original task file or their task information by a signature of an independent (not specified here) key computer system as another Secure security instance against tampering within the primary relay computer system. Such a "base signature" remains verifiable despite wrapping the task information into the interaction packet and guarantees the authenticity of the task information. Triggering a (criminal) action in a processing computer system by a manipulated switching computer system can thereby be prevented or at least made much more difficult, because the "basic signature" offers a certain security against counterfeiting.

• – Ergänzen der Task-Informationen um weitere Daten und/oder
• – Signieren der Task-Informationen mit wenigstens einem privaten Schlüssel und/oder
• – Verschlüsseln der Task-Informationen mit einem öffentlichen Schlüssel eines Ziel-Computersystems.

Preferably, in the method of the type described, the at least one action in the primary editing computer system comprises at least:

• - Complete the task information with additional data and / or
• Signing the task information with at least one private key and / or
• Encrypt the task information with a public key of a target computer system.

For example, to perform the action on the primary editing computer system, the task information may be extracted from or unpacked from the interaction package, as discussed above. It is crucial for all actions that they are executed locally in a processing computer system involved, so that security-relevant passphrases or keys for processing and performing the actions only locally on the respective computer systems must be present or used and not within the computer network infrastructure, especially between the primary switch computer system and the primary edit computer system. This fact also increases the security against intruder attacks from outside.

• – Erstellen eines Informations-Pakets durch das primäre Vermittlungs-Computersystem, wobei im Informations-Paket ebenfalls Task-Informationen aus der Tasks-Datei und/oder Informationen über die wenigstens eine vermittels der Gruppe der Bearbeitungs-Computersysteme durchzuführende Aktion zusammengefasst werden,
• – Übertragen des Informations-Pakets vom primären Vermittlungs-Computersystem an alle aus der Gruppe der Bearbeitungs-Computersysteme,
• – Antworten wenigstens eines Bearbeitungs-Computersystems innerhalb einer vorbestimmten oder zufälligen Zeitspanne auf das übertragene Informations-Paket mit einer Bereitschaft zur weiteren Bearbeitung,
• – Bestimmen des erstantwortenden Bearbeitungs-Computersystems als primäres Bearbeitungs-Computersystem durch das Vermittlungs-Computersystem.

Advantageously, the method of the type explained comprises the additional steps:

• - Creating an information packet by the primary switching computer system, wherein in the information packet also task information from the task file and / or information on the at least one to be performed by means of the group of processing computer systems action is summarized,
• Transferring the information packet from the primary switching computer system to all of the group of processing computer systems,
• Responding to at least one processing computer system within a predetermined or random time period to the transmitted information packet with a readiness for further processing,
• Determine the first-responding editing computer system as the primary editing computer system by the relay computer system.

The above-mentioned measures of exchanging an information packet advantageously take place in the course of the process before the transfer of task information to the primary processing computer system (by means of the first interaction packet) and serve, in particular, initially to determine a primary processing computer system from the Most of the machining computer systems present in the computer network infrastructure. The second task information in the information packet may be different, overlapping, or identical in content from the task information (in the first interaction packet) discussed above.

To carry out these measures, predetermined time points or time intervals (so-called "time outs") are provided for the response of the processing computer systems or for selection, which processing computer system responds first, too late or not at all.

By means of the information package, all processing computer systems receive a message about the task file and / or the actions to be performed on the basis of the task file or the task information. In this way, each processing computer system can decide whether it can, should or should be allowed to perform the corresponding task information or should or should be able to perform the corresponding action based on the task information.

Advantageously, a single primary processing computer system is determined based on the described measures, which carries out the further processing or processing of the task information and / or the implementation of the associated action.

In addition to a load distribution on the part of the switching computer systems carried by the measures explained at this point, an assignment or load distribution on the part of the processing computer systems. This has the advantage that from a group of processing computer systems, a dedicated computer system can take on a specific task. This can be done automatically by means of the illustrated method.

In particular, in the case of a so-called manual task, eg when the task information is released by an engineer from a group of processors who has one or more Associated with processing computer systems, it may be necessary for continuous implementation of the method to avoid dependence of the method of a particular person. The described measures thus permit a directed request to the group of processing computer systems by means of the information packet through the primary switching computer system and a subsequent selection and determination of a primary processing computer system which responds positively to the information packet.

As an alternative or in addition to the determination of the first-processing computer system, other criteria can also be used for the determination. For example, it is conceivable to associate a positive response of a processing computer system with a feedback of predetermined processing information of the corresponding processing computer system. Such processing information can be, for example, the availability, time, duration, utilization, etc. of the corresponding processing computer system.

It is conceivable to connect individual or all processing computer systems to the primary switching computer system via further switching computer systems.

• – Abwarten einer vorbestimmten oder zufälligen ersten Zeitspanne durch ein Vermittlungs-Computersystem nach Empfangen der Task-Datei,
• – Mitteilen einer Bereitschaft, die Bearbeitung als primäres Vermittlungs-Computersystem fortzuführen, durch das Vermittlungs-Computersystem an alle anderen Vermittlungs-Computersysteme nach Ablauf der ersten Zeitspanne,
• – erneutes Abwarten einer vorbestimmten oder zufälligen zweiten Zeitspanne durch das mitteilende Vermittlungs-Computersystem,
• – Validieren durch das mitteilende Vermittlungs-Computersystem nach Ablauf der zweiten Zeitspanne, dass dieses das einzige mit der Bereitschaft ist, die Bearbeitung als primäres Vermittlungs-Computersystem fortzuführen, sowie
• – Bestimmen des mitteilenden Vermittlungs-Computersystems als primäres Vermittlungs-Computersystem, falls das Validieren erfolgreich war.

Advantageously, in the method of the type described, the step of negotiating a primary switch computer system comprises the following substeps:

• Waiting for a predetermined or random first time period by a switching computer system after receiving the task file,
• Indicating a willingness to continue the processing as a primary switching computer system by the switching computer system to all other switching computer systems after the first period of time,
• Re-waiting a predetermined or random second time period by the notifying switch computer system,
• Validation by the notifying switch computer system after the lapse of the second time period that it is the only one willing to continue processing as the primary switch computer system, as well as
• Determine the communicating switch computer system as the primary switch computer system if the validation was successful.

The foregoing measures, which may be performed wholly or in part by any of the group of switching computer systems, allow the automated (and highly probable) designation of a switching computer system as a primary computer system (so-called "primary") for redistributing one incoming task file.

By waiting for the first time period by each switch computer system to receive the task file, it can be achieved that each switch computer system can decide whether to allow it to, as a primary task, forward, or should forward task information in the communication process. After waiting for the first time period, which may be individually predetermined for each switch computer system, a switch computer system notifies all other switch computer systems that it will continue processing as Primary. When another mediation computer system receives this message, it itself renounces assuming the role of primary.

After a second period of time, which may be, for example, greater than the first period of time, a switch computer system, which has declared itself as a potential primary to the others, in turn connects to the other switch computer systems to validate that it only primary is.

Advantageously, the substeps of negotiating a primary switch computer system are performed again (possibly with random wait at start) if the validation by the communicating switch computer system is the only one willing to continue processing as the primary switch computer system , was not successful.

For example, validation may not be successful if multiple mediation computer systems, possibly concurrent or overlapping in time, signal a readiness to continue processing each as the primary system. Due to parallelism in negotiation, two or more mediation computer systems may want to play the role of Primary. However, according to the method explained, since a load distribution, in particular a distribution of task files, between the participating switching computer systems is to be achieved, preferably only one single primary switching computer system can and should exist.

Advantageously, in the method of the type described, the step of negotiating a primary switch computer system is performed again after each parallel receive of a task file by the group of switch computer systems. Alternatively, the negotiation of the primary can be stored. Then, however, after each receiving a task file would be preferred primary mediation computer system rechecked. If the check results in unavailability of the primary switch computer system, negotiation is performed again according to the substeps explained above.

Preferably, in the method of the type described, the step of negotiating a primary switch computer system is performed again after each change in the set of switch computer systems. One change may be, for example, adding or removing switching computer systems in the cluster of the computer network infrastructure.

All participating computer systems of the computer network infrastructure, i. Mediation computer systems and editing computer systems are connected via network paths in their communication. In the case of unfavorable failure of one or more network paths, the so-called "split-brain problem" can occur in the computer network infrastructure. This problem occurs when network paths are broken to create two subgroups of involved computer systems that can no longer communicate with each other. Then one group knows nothing about the other and vice versa, because the communication is split.

When such a split-brain problem occurs, several primary computer systems may come up in negotiation and determination within the group of switching computer systems or within the group of processing computer systems (which may be split into subgroups). In this way, redundant data packets would be created, transmitted and possibly edited by several Primarys.

However, redundant data packets are noticed in the process at the latest when identical packets arrive at a destination. Thus, redundant data packets can be discarded, so that a split-brain problem leads to redundancy but to the filtering out of redundant information within the method. In the worst case, editing or manipulating redundant packets within a processing computer system results in diverging behavior. This can be taken into account by monitoring the identification of task packages, so that problem-solving measures can be taken if necessary.

In addition, redundant network paths within the computer network infrastructure can be used to minimize the likelihood of a split-brain problem.

• – Überwachen des primären Vermittlungs-Computersystems durch die sekundären Vermittlungs-Computersysteme auf Erreichbarkeit während der Durchführung des Verfahrens, sowie
• – Abbruch des Verfahrens und erneutes Aushandeln eines primären Vermittlungs-Computersystems, falls das Überwachen des primären Vermittlungs-Computersystems ergeben hat, dass dieses nicht oder nicht mehr erreichbar ist.

Advantageously, the method of the type explained comprises the steps:

• - Monitoring the primary switching computer system by the secondary switching computer systems for accessibility during the implementation of the method, as well
• Aborting the process and renegotiating a primary switch computer system if the monitoring of the primary switch computer system has revealed that it is not or no longer reachable.

In this way, it can be seen that a primary switching computer system can not or no longer perform the function of Primary. This leads to the renegotiation of a primary according to the method steps explained above.

Alternatively or in addition to monitoring the primary switch computer system, it would also be conceivable to mutually monitor each other or a plurality of switch computer systems. This would have the advantage that if there were a sudden unavailability of a plurality of switching computer systems, which is detected by other switching computer systems, the reference to a split-brain problem - as explained above - could be present. This could, for example, be communicated and logged via monitoring with regard to possible redundancy of forwarded data packets or task files.

• – Übertragen einer On-Hold-Anweisung vom primären Vermittlungs-Computersystem an alle nicht-primären Bearbeitungs-Computersysteme zur Signalisierung, dass diese in einen Warte-Betrieb gehen sollen. Auf diese Weise wird den nicht-primären Bearbeitungs-Computersystemen signalisiert, dass diese in Bezug auf entsprechende Task-Informationen (zunächst) keine weitere Aktion durchführen sollen.

In addition, in the method of the type explained, the step is additionally carried out:

• - transmitting an on-hold instruction from the primary switch computer system to all non-primary processing computer systems to signal that they are to go into wait mode. In this way, non-primary processing computer systems are signaled that they should (initially) perform no further action with respect to corresponding task information.

• – Übertragen einer Bearbeitung-Beendet-Anweisung vom primären Vermittlungs-Computersystem an alle aus der Gruppe der Bearbeitungs-Computersysteme, nachdem die wenigstens eine Aktion im primären Bearbeitungs-Computersystem durchgeführt wurde,
• – Bereinigen und/oder Entfernen sämtlicher Daten, die zur und während der Durchführung des Verfahrens in den Bearbeitungs-Computersystemen generiert wurden.

Advantageously, the method of the type explained additionally comprises the steps:

• Transferring a complete-edit instruction from the primary mediation computer system to all of the group of the editing computer systems after the at least one action has been performed in the primary-editing computer system,
• - clean up and / or remove all data generated during and during the execution of the process in the processing computer systems.

These measures have a double advantage. A first advantage is that after performing the action in the primary processing computer system, all data on involved processing computer systems associated with the forwarding of the task information (or other information or interaction packets as discussed above) in accordance with the described method related, can be adjusted. A second advantage is that all the processing computer systems (both primary and non-primary) recognize that the processing of the task information or action has been successfully completed.

Alternatively, an edit-and-finish instruction may also be sent after retransmitting the processed task information from the primary processing computer system to the primary switching computer system or at other predetermined times.

• – Senden einer vorbestimmten Sequenz an Paket-Daten vom Vermittlungs-Computersystem an das Bearbeitungs-Computersystem, wobei die vorbestimmten Netzwerk-Ports des Bearbeitungs-Computersystems geschlossen sind und wobei die Sequenz in einer vorbestimmten Reihenfolge einen oder mehrere Netzwerk-Ports des Bearbeitungs-Computersystems anspricht,
• – Überprüfen der gesendeten Sequenz auf Übereinstimmung mit einer vordefinierten Sequenz im Bearbeitungs-Computersystem, sowie
• – Veranlassen des Übertragens der Task-Informationen und/oder sonstiger Daten-Pakete und/oder Anweisungen durch das Bearbeitungs-Computersystem, falls die Überprüfung der gesendeten Sequenz positiv ist.

Preferably, transferring the task information and / or other data packets and / or instructions from a mediation computer system to a processing computer system comprises the following steps:

• Sending a predetermined sequence of packet data from the switch computer system to the edit computer system, wherein the predetermined network ports of the edit computer system are closed and wherein the sequence responds in a predetermined order to one or more network ports of the edit computer system .
• - Checking the sent sequence for compliance with a predefined sequence in the editing computer system, as well
• - causing the task information and / or other data packets and / or instructions to be transmitted by the processing computer system if the verification of the transmitted sequence is positive.

The additional method steps listed here have the advantage that, in principle, the network ports (relevant for the method) of the processing computer systems involved-in the above-explained sense-are closed and block a connection to the corresponding processing computer system from the outside or a manipulative access make it much more difficult. Initiating the transmission of the task information and / or other data packets and / or instructions via the receiving processing computer system may include an automated process for transmitting the respective task information to the processing computer system (eg, via the Unix-based command Secure Copy, scp). According to the process, the processing computer system in turn establishes a connection to the switching computer system and retrieves the task information or other data packets. This process can be started after a predetermined sequence of packet data has been sent to the editing computer system if that sequence matches a predefined sequence. The IP address of the sequence-transmitting computer system can be statically specified in the processing computer system or dynamically taken from the kernel of the processing computer system known source IP addresses possible sequence-sending computer systems.

Such a method is known by the term "port knocking" (to knock-knock). The abovementioned steps can be carried out, for example, via a so-called knock daemon, that is to say a program which enables port knocking. The knock daemon sits on the network ports of the edit computer system, examines the transmitted sequence of packet data, and, optionally, (eg, by starting a script / program), controllably transmits the appropriate task information from a relay computer system to the computer Processing computer system when the transmitted sequence matches a predefined sequence. The above-described procedure thus enables the transferring / copying of the task information from a relay computer system to the corresponding processing computer system, without the need for the editing computer system to maintain an open port with an addressable program for this purpose.

Alternatively or in addition to the above-described port-knocking is also conceivable that the involved processing computer system of its own at regular intervals in the mediation computer system requests (polling), whether to be exchanged task information. If so, an appropriate transfer of the task information from the switch computer system to the edit computer system may be initiated. It is also conceivable that the processing computer system polls if, for example, a certain amount of time is exceeded in which no port knocking has been performed. Problems with the port knocking could be recognized and the functionality is preserved.

The described measures enable communication between secure computer systems within the computer network infrastructure via the group of switching computer systems. In this way, the group of switching computer systems as well as the group of processing computer systems according to the present invention explained a kind of secure "communication middleware", whereby a load distribution between participating computer systems is performed.

• – eine Mehrzahl von Vermittlungs-Computersystemen, sowie
• – eine Mehrzahl von Bearbeitungs-Computersystemen, wobei die Computersysteme eingerichtet sind, Daten-Pakete und/oder Anweisungen von wenigstens einem aus der Gruppe der Vermittlungs-Computersysteme an wenigstens eines aus der Gruppe der Bearbeitungs-Computersysteme zu übertragen zur Verarbeitung der Daten-Pakete und/oder Anweisungen, wobei die Gruppe der Vermittlungs-Computersysteme und/oder die Gruppe der Bearbeitungs-Computersysteme jeweils eingerichtet sind, ein primäres Vermittlungs-Computersystem und/oder ein primäres Bearbeitungs-Computersystem zur Kommunikation auszuhandeln und/oder zu bestimmen, und wobei alle aus der Gruppe der Bearbeitungs-Computersysteme jeweils eine Zugriffssteuereinheit aufweisen, die eingerichtet ist, vorbestimmte Netzwerk-Ports zu schließen, sodass ein Zugriff über ein Netzwerk vermittels dieser Netzwerk-Ports verhindert ist.

The above object is achieved in a further aspect by a computer network infrastructure, which comprises at least:

• A plurality of mediation computer systems, as well
• A plurality of processing computer systems, the computer systems being arranged to transmit data packets and / or instructions from at least one of the group of switching computer systems to at least one of the group of processing computer systems for processing the data packets and and / or instructions, wherein the group of mediation computer systems and / or the group of processing computer systems are each arranged to negotiate and / or determine a primary mediation computer system and / or a primary processing computer system for communication, and all of the group of processing computer systems each have an access control unit configured to close predetermined network ports so that access via a network by means of these network ports is prevented.

Advantageously, such a computer network infrastructure is set up to carry out a method of the type explained above.

Even by a computer network infrastructure of this type, the advantages mentioned in connection with the method explained above arise analogously. All the advantageous measures explained in connection with the above method are used in corresponding structural features of the computer network infrastructure and vice versa.

In another aspect, the above object is achieved by a computer program product that is configured to run on one or more computer systems and that, when executed, performs a method of the type discussed above.

Further advantageous embodiments are disclosed in the subclaims and in the following description of the figures.

The invention will be explained in more detail with reference to a drawing below.

The figure ( 1 ) shows a schematic representation of at least a portion of a computer network infrastructure configured to perform load sharing between involved computer systems.

The computer network infrastructure in the exemplary embodiment shown comprises a group of switching computer systems, namely a task server 1 and a task server 2. Furthermore, the computer network infrastructure comprises a group of processing computer systems, namely an admin client 1, an admin Client 2 and an Admin Client 3.

The Admin Client Systems 1 through 3 behave as encapsulated systems with closed network ports. This is shown schematically by a hatched input / output level of these computer systems in the drawing. This means that at the network ports of the Admin clients 1 to 3 no running programs or services are necessary for external network addressability. Rather, access to the Admin Clients 1 to 3 via network due to the respective closed network ports is not possible.

However, a respective user group can locally access the Admin client 1 or 2 or 3 in order to initiate local actions there.

In contrast to the processing computer systems, the admin client 1 to 3, the switching computer systems, that is, the task servers 1 and 2, behave as "open" systems. The task servers 1 and 2 have thus opened at least one network port, with a service or an application running on the task servers 1 and 2 in order to allow external network responsiveness. For example, a network connection in these computer systems may be restricted via VPN ("Virtual Private Network") or SSH ("Secure Shell"), so that only predetermined, encrypted network connections with dedicated computer systems are permitted. The task servers 1 and 2 serve as intermediaries for communicating and forwarding data packets and / or instructions within the computer network infrastructure.

For communication between the addressable switch computer systems, task servers 1 and 2, and the encapsulated edit computer systems, Admin client 1 to 3, with their respective closed network ports, a predetermined process is established. Data packets and / or instructions can be transmitted directly from an Admin Client 1 to 3 to one or more of the Task Servers 1 and 2 and stored there, since the Task Servers 1 and 2 can be addressed directly via the network.

In the reverse direction, ie from task server 1 or 2 in the direction of the Admin clients 1 to 3, a port-knocking process is first performed, wherein a predetermined sequence of packet data from one of the task server 1 or 2 is sent to one or more of the Admin clients 1 to 3, the network ports of the respective processing computer system being closed, and wherein the sequence responds in a predetermined order to one or more network ports of the respective processing computer system. Subsequently, a check of the transmitted sequence in the corresponding processing computer system for compliance with a predefined sequence, as well as causing a transmission of a corresponding data packet and / or an instruction by the processing computer system, if the verification of the transmitted sequence is positive.

More specifically, the corresponding editing computer system starts a process that fetches a data packet to be transmitted from the corresponding relay computer system (task server 1 or 2). Such a process can be done, for example, via the Unix-based Secure Copy (SCP) command. In this way, the computer systems involved, despite encapsulated processing computer systems within the computer network infrastructure, can communicate with each other, forward data packets and / or issue instructions.

In the following, a load distribution or selection of dedicated computer systems for processing task files or task information from task files will be explained on the basis of several method steps which are listed as numbering in the drawing.

• – das Speichern, Ergänzen und/oder Verarbeiten von übertragenen Daten,
• – der Neustart eines Programms,
• – die Anweisung zu einem physischen Zugang zum entsprechenden Computersystem,
• – das Wiederherstellen von Backup-Daten,
• – das Einfügen weiterer Daten und/oder Informationen in eine übertragene Datei oder
• – ein SSH-Zugriff auf das entsprechende Computersystem.

In one step 1 a task file is transmitted from an unspecified location in each case to the task server 1 and the task server 2 and stored there. For example, the task file may include an instruction for a process (task) on one of the editing computer systems and / or on an unspecified target computer system. Such a process can be, for example:

• The storage, completion and / or processing of transmitted data,
• - the restart of a program,
• The instruction for a physical access to the corresponding computer system,
• - restoring backup data,
• - the insertion of further data and / or information into a transferred file or
• - SSH access to the appropriate computer system.

Appropriate combinations of such actions and instructions are of course conceivable.

After transferring the task file in step 1 to the respective task server 1 and 2 lead this in step 2 a negotiation by which of the two task servers 1 or 2 as the primary relay computer system performs the further processing of the task file. For this purpose, both task servers 1 or 2 can wait for predetermined time periods (time outs), after which, for example, task server 1 informs the task server 2 that task server 1, as the primary switching computer system (so-called primary), takes over the further processing becomes. Upon receipt of a corresponding message to task server 2, the latter will accordingly accept and confirm that task server 1 assumes the role of Primary.

If, for example, due to a temporal overlap, both switching computer systems task server 1 and task server 2 want to assume the role of the primary, this is recognized in a mutual validation and a negotiation of a unique, single primary is performed again.

In this way, a load distribution or selection of a computer system for further processing of the received task file can be executed between the switching computer systems, task server 1 and task server 2.

According to the embodiment of the drawing task server 1 takes over the role of Primary for further processing of the received task file. Task server 2 can either discard the task file or keep the task file for a fallback position in the event of failure of the task server 1. Furthermore, task server 2 can go into a wait mode.

For further processing of the task file, in particular for forwarding task information from the task file or the task file itself within the computer network infrastructure, task server 1 generates an information packet, wherein task information is contained in the information packet from the task file and / or information about at least one action to be performed by means of the group of processing computer systems are summarized. In particular, such information can be based on specifications within the task file, in particular existing or necessary signatures, existing time-outs, existing information about the further processing of the task file, etc.

Within the information package, information about the forwarding to all of the group of processing computer systems, that is, both Admin Client 1 and Admin Client 2 as well as Admin Client 3, according to a forwarding 1: n be set.

For this purpose, task server 1 calls predetermined routing information stored in the task file, the routing information having a predetermined communication path structure between the task server 1 and the processing computer systems, admin client 1 to 3, define.

In step 3 This routing information is processed for a 1: n forwarding to the editing computer systems.

In step 4 task server 1 performs a port-knocking process - as explained above - to all processing computer systems, Admin Client 1 to 3, by. Then, all the Admin Clients 1 to 3 retrieve the created information package from the Task Server 1.

In step 5 , which represents a significant process step, it is determined which of the processing computer systems admin client 1 to 3 carries out the further processing of further task information based on an evaluation of the transmitted information packet. Such a primary processing computer system may, for example, be determined based on predetermined time-outs within the information packet and / or on the fact that the processing computer system first responds positively to the transmitted and evaluated information packet. In the case of the constellation shown in the drawing, Admin Client 2 determines that he wants to carry out further processing.

In step 6 For this purpose, the admin client 2 calculates a routing to the task server 1 and transports in step 7 a positive response to the sent information packet to the task server. 1

In step 8th the positive response is registered in the task server 1 and the admin client 2 is set as the primary editing computer system. Thus, on the part of the processing computer systems, a task distribution or a selection of a specific processing computer system for direct communication with the primary relay computer system task server 1 is completed.

Furthermore, task server 1 creates in step 8th an interaction package which in turn contains task information of the original task file. In addition to this task information, the interaction packet may contain further information (eg signatures, authorizations, instructions, etc.) between the task server 1 and the admin client 2, the information of the original task file being preserved , Alternatively, the interaction package may also contain the original task file itself as task information.

It is also conceivable to protect the task information or the original task file itself by a signature of an independent (not specified here) key computer system. Such a "basic signature" remains verifiable despite packing the task information or the task file in the interaction package and guarantees the authenticity of the task information or the task file. Such a "basic signature" offers a certain security against counterfeiting.

In parallel, the task server 1 generates in step 8a so-called on-hold instructions for Admin Client 1 and Admin Client 3, which constitute the non-primary editing computer systems. Such on-hold instructions signal the admin client 1 and the admin client 3 that they should go into a wait mode.

In step 9 In the task server 1, a routing to the respective processing computer system Admin client 1 to 3 is calculated. In step 10 a retrieval of the interaction package from the task server 1 by the admin client 2 for a corresponding port-knocking process by task server 1. In step 10a the on-hold instructions are fetched by the admin clients 1 and 3 from the task server 1 for analogous execution of a port-knocking process by task servers 1 with respect to these computer systems.

In step 11 , which is also a significant step within the process, the admin client 2 extracts or unpacks the task information from the transmitted interaction packet as the primary processing computer system and uses this to determine an action that is locally on the admin client 2 has to be done. This action concerns, for example, the insertion of further data into the task information and / or a signing of the task information with at least one private key locally within the admin client 2 and / or an encryption of the task information with a public key of one not closer specified target computer system. According to the constellation from the drawing, for example, a signature of the task information by a private signature of an editor in the Admin Client 2 can be done.

The other editing computer systems Admin Client 1 and Admin Client 3 process in step 11a the fetched on-hold instruction and switch to a wait mode ("on hold") for a request for further action by the task server. 1

In step 12 the admin client 2 calculates a routing of the processed task information back to the task server 1, which has been informed to him as a primary switching computer system, for example by means of the previously sent information packet. Furthermore, the admin client 2 can package the processed task information after performing the corresponding action in a second interaction packet, which contains, for example, a return information for the task server 1.

Subsequently, in step 13 a return transport of the created in this way, second interaction package from the admin client 2 back to the task server. 1

Task Server 1 created in step 14 a Edit Complete statement for all Admin clients 1 through 3.

Further, in step 14a the supplemented and edited task information in the task server 1 is updated, e.g. B. added information that a predetermined step has been processed. Subsequently, in the task server 1, for example, the task file can be supplemented or recreated, for example, from the task information transported back.

In step 15 Finally, the task server 1 calculates routing of the edit-and-finish instruction to the admin clients 1 to 3.

In step 15a Furthermore, a routing for a further transport of the task file updated with the processed task information to an unspecified target computer system for performing a corresponding task in the target computer system is calculated.

In step 16 a port-knocking process is performed by the task server 1 with respect to all the admin clients 1 to 3, each picking up the processing-ended instruction from the task server 1. Through the Edit Complete statement, all Admin Clients 1 through 3 receive information that the process of processing task information has ended.

In step 16a In parallel to this, the further transport of the supplemented task file in the direction of the unspecified target computer system takes place so that the task file can finally be processed further outside the constellation shown in the drawing.

In a last step 17 In each Admin client 1 to 3, triggered by the edit-and-finish instruction, a data cleansing of the data generated in connection with the performed procedure is carried out and any executed jobs and actions are removed. The step 17 can be coupled to a timing. That means that step 17 is automatically performed if a predetermined period of time has been exceeded, regardless of which step of the method is or is being performed. Further, a user of each Admin client 1 to 3 may also perform the step 17 to be informed about the end of the action.

This completes the process.

In addition, another step could be 18 (Not shown) may be provided in the task server 1 from task server 2, the information is passed that the action has been completed successfully. If this is not done within a given amount of time, task server 2 may try to renegotiate the role of the primary (now by itself) and, if necessary, repeat the communication according to the method explained with the admin clients 1 to 3 a message from task server 1 to task server 2 is made when the specified time period for the action has been exceeded, but the action has not (successfully) been completed by the admin clients. As a result, the task server 2 receives the information that the action "formal" has ended. step 18 can be the last step after step 17 or alternatively, even before step 17 be implemented in the process.

Advantageously, each data packet which is exchanged between the participating computer systems according to the method explained is provided with an identifier in at least one participating computer system. Alternatively, an already existing identifier of a corresponding data packet can be added. This has the advantage that a data packet can also be traced over several instances of the communication path structure (so-called "tracing"). An addition to an identifier can be, for example, a mistake with a unique addition.

The course of the data packets along the communication path structure can be monitored by monitoring using the identifier, possibly in conjunction with existing signatures (forgery-proof). Further, a dwell time of the data packets may be monitored on a computer system involved along the communication path structure. In addition, all process steps can be logged by the monitoring.

On the basis of the identifier of a data packet, possibly in conjunction with stored routing information and / or signatures, it can be determined whether the communication path structure is adhered to and which computer systems can and can be achieved successfully in the routing. For example, the identifier can be used to verify that task information has been transmitted successfully from the primary switch computer system, task server 1, to the primary edit computer system, admin client 2, according to the illustrated constellation.

A residence time can z. B. defined within the task file. It can be specified here that after the residence time has expired, the task file or task information from the task file may not or may not be forwarded or may become unusable. This increases data security or conflict management within the computer network infrastructure.

If necessary, alarm messages can be generated or other measures can be taken by means of monitoring.

The monitoring, which is not shown in greater detail in the exemplary embodiment, can either be implemented by the computer systems involved or can be executed by further, unspecified computer systems. It is also conceivable and advantageous to carry out the monitoring via a separate network path structure.

The illustrated constellation of a computer network infrastructure is chosen only by way of example. For the sake of simplicity, only relevant components were presented.

LIST OF REFERENCE NUMBERS

Task server 1

 Switching computer system

Task server 2

 Switching computer system

Admin client 1

 Processing computer system

Admin client 2

Processing computer system

Admin client 3

Processing computer system

1 to 17

steps

Claims (15)

 A method of distributing tasks between secure computer systems in a computer network infrastructure, comprising the following steps: Parallel receiving of a task file by a plurality of relay computer systems, Negotiating a primary switching computer system from the group of switching computer systems for further processing of the task file, Transferring task information from the task file from the primary relay computer system to a primary processing computer system from a plurality of processing computer systems, as well as Performing at least one action in the primary editing computer system based on the transmitted task information, wherein all of the group of processing computer systems keep predetermined network ports closed so as to prevent access via a network by means of these network ports.  The method of claim 1, further comprising the steps of: By the primary switching computer system, creating a first interaction packet in which the task information is contained; Transferring the first interaction packet from the primary mediation computer system to the primary processing computer system, Extracting the task information from the first interaction packet to perform the at least one action in the primary processing computer system, Creating a second interaction packet, in which a response to the first interaction packet is included, by the primary processing computer system, Transmitting the second interaction packet from the primary processing computer system back to the primary mediation computer system after performing the at least one action.  The method of claim 1 or 2, wherein the at least one action at least comprises: - Complete the task information with additional data and / or Signing the task information with at least one private key and / or Encrypt the task information with a public key of a target computer system. Method according to one of claims 1 to 3, comprising the additional steps of: - Creating an information packet by the primary switching computer system, wherein in the information packet also task information from the task file and / or information about the at least one means summarizing the action to be taken by the group of processing computer systems, transmitting the information packet from the primary switching computer system to all of the group of processing computer systems, responding to at least one processing computer system within a predetermined or random period of time on the transmitted information Package with a readiness for further processing, Determine the first-responding editing computer system as the primary editing computer system by the relay computer system.  Method according to one of claims 1 to 4, wherein the step of negotiating a primary switching computer system comprises the following substeps: Waiting for a predetermined or random first time period by a switching computer system after receiving the task file, Indicating a willingness to continue processing as a primary switching computer system by the switching computer system to all other switching computer systems after the first time period has elapsed, Re-waiting a predetermined or random second time period by the notifying switch computer system, Validation by the notifying switch computer system after the lapse of the second time period that it is the only one willing to continue processing as the primary switch computer system, as well as Determine the communicating switch computer system as the primary switch computer system if the validation was successful.  The method of claim 5, wherein the substeps of negotiating a primary switch computer system are performed again if the validation by the communicating switch computer system that it is the only one willing to continue processing as the primary switch computer system was unsuccessful ,  The method of any one of claims 1 to 6, wherein the step of negotiating a primary switch computer system is performed again after each parallel receive of a task file by the group of switch computer systems.  The method of any one of claims 1 to 7, wherein the step of negotiating a primary switch computer system is performed again after each change of the set of switch computer systems.  Method according to one of claims 1 to 8, additionally comprising the steps: - Monitoring the primary switching computer system by the secondary switching computer systems for accessibility during the implementation of the method, as well Aborting the process and renegotiating a primary switch computer system if the monitoring of the primary switch computer system has revealed that it is not or no longer reachable.  Method according to one of claims 1 to 9, additionally comprising the step: Transmitting an on-hold instruction from the primary switching computer system to all non-primary processing computer systems for signaling that they should go into a wait mode.  Method according to one of claims 1 to 10, additionally comprising the steps: Transferring a complete-edit instruction from the primary mediation computer system to all of the group of the editing computer systems after the at least one action has been performed in the primary-editing computer system, - clean up and / or remove all data generated during and during the execution of the process in the processing computer systems.  The method of any one of claims 1 to 11, wherein transferring the task information and / or other data packets and / or instructions from a mediation computer system to a processing computer system comprises the steps of: Sending a predetermined sequence of packet data from the switch computer system to the edit computer system, wherein the predetermined network ports of the edit computer system are closed and wherein the sequence responds in a predetermined order to one or more network ports of the edit computer system . - Checking the sent sequence for compliance with a predefined sequence in the editing computer system, as well - causing the task information and / or other data packets and / or instructions to be transmitted by the processing computer system if the verification of the transmitted sequence is positive. A computer network infrastructure, comprising at least: - a plurality of switching computer systems, and - a plurality of processing computer systems, wherein the computer systems are arranged, data packets and / or instructions from at least one of the group of switching computer systems to at least one of the group of processing computer systems for processing the data packets and / or instructions, the group of the switching computer systems and / or the group of processing Computer systems are each arranged to negotiate and / or determine a primary switching computer system and / or a primary processing computer system for communication, and wherein all of the group of the processing computer systems each comprise an access control unit that is set up, predetermined network ports close, so that access via a network through these network ports is prevented.  A computer network infrastructure according to claim 13, arranged to perform a method according to any one of claims 1 to 12.  A computer program product adapted to be executed on one or more computer systems and which, when executed, performs a method according to any one of claims 1 to 12.

Images